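-- X.509 public key certificate (RFC 3280, section 4.1).
-- `signature` is computed over the DER encoding of `tbsCertificate`, so a
-- relying party must verify it before trusting any field inside tbsCertificate.
Certificate ::= SEQUENCE {
    tbsCertificate        TBSCertificate,
    signatureAlgorithm    AlgorithmIdentifier,
                          -- MUST be identical to tbsCertificate.signature;
                          -- a mismatch indicates tampering or a defective
                          -- issuer and the certificate MUST be rejected
    signature             BIT STRING }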



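-- The signed portion of an X.509 certificate (RFC 3280, section 4.1.2).
-- Every field here is only as trustworthy as the outer signature check.
TBSCertificate ::= SEQUENCE {
    version          [0]  EXPLICIT Version DEFAULT v1,
    serialNumber          CertificateSerialNumber,
    signature             AlgorithmIdentifier,
                          -- MUST equal Certificate.signatureAlgorithm
    issuer                Name,
    validity              Validity,
    subject               Name,
    subjectPublicKeyInfo  SubjectPublicKeyInfo,
    issuerUniqueID   [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- if present, version MUST be v2 or v3
    subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- if present, version MUST be v2 or v3
    extensions       [3]  EXPLICIT Extensions OPTIONAL
                          -- if present, version MUST be v3
    }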



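-- Certificate syntax version; v3 is required whenever extensions are present.
Version ::= INTEGER { v1(0), v2(1), v3(2) }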

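-- Issuer-assigned serial number; unique per issuer. RFC 3280 (4.1.2.2)
-- requires a positive integer of at most 20 octets, but decoders should
-- still tolerate non-conforming values rather than crash on them.
CertificateSerialNumber ::= INTEGER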

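-- Validity interval; both bounds are inclusive and must be checked against
-- a trustworthy clock at verification time.
Validity ::= SEQUENCE {
    notBefore    Time,
    notAfter     Time }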



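-- Time is a CHOICE because RFC 3280 (4.1.2.5) encodes dates through 2049 as
-- UTCTime (two-digit year, 50..99 -> 19xx, 00..49 -> 20xx) and dates from
-- 2050 onward as GeneralizedTime. Both MUST be expressed in UTC ("Z").
Time ::= CHOICE {
    utcTime        UTCTime,
    generalTime    GeneralizedTime }

-- Opaque issuer/subject identifier; deprecated by RFC 3280 and rarely used.
UniqueIdentifier ::= BIT STRING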



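-- Public key and the algorithm it belongs to. `subjectPublicKey` is the
-- algorithm-specific key encoding wrapped in a BIT STRING; its interpretation
-- depends entirely on `algorithm`.
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm           AlgorithmIdentifier,
    subjectPublicKey    BIT STRING }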



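-- Non-empty list of extensions. A given extnID MUST NOT appear more than once
-- in a certificate (RFC 3280, 4.2).
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension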



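-- One certificate extension. `extnValue` is an OCTET STRING whose contents are
-- the DER encoding of the type identified by `extnID`; it must be decoded a
-- second time after the outer structure. A relying party MUST reject a
-- certificate containing a critical extension it does not recognize and MAY
-- ignore an unrecognized non-critical one (RFC 3280, 4.2).
Extension ::= SEQUENCE {
    extnID       OBJECT IDENTIFIER,
    critical     BOOLEAN DEFAULT FALSE,
    extnValue    OCTET STRING }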
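-- X.509 attribute certificate (RFC 3281, section 4.1). Structurally parallel to
-- Certificate: `signatureValue` is computed over the DER encoding of `acinfo`
-- by the attribute authority, and `signatureAlgorithm` MUST be identical to
-- acinfo.signature.
AttributeCertificate ::= SEQUENCE {
    acinfo                AttributeCertificateInfo,
    signatureAlgorithm    AlgorithmIdentifier,
    signatureValue        BIT STRING
    }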



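-- Signed body of an attribute certificate (RFC 3281, section 4.1).
-- `holder` binds the attributes to an entity and `issuer` names the attribute
-- authority; the AC carries no public key, so the holder is authenticated by
-- other means (normally its public key certificate, see Holder).
AttributeCertificateInfo ::= SEQUENCE {
    version                 AttCertVersion DEFAULT v1,
    holder                  Holder,
    issuer                  AttCertIssuer,
    signature               AlgorithmIdentifier,
                            -- MUST equal AttributeCertificate.signatureAlgorithm
    serialNumber            CertificateSerialNumber,
    attrCertValidityPeriod  AttCertValidityPeriod,
    attributes              SEQUENCE OF Attribute,
    issuerUniqueID          UniqueIdentifier OPTIONAL,
    extensions              Extensions OPTIONAL
    }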


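-- Attribute certificate syntax version. RFC 3281 profiles only v2; a v1 AC
-- cannot use the v2Form issuer or the objectDigestInfo holder.
AttCertVersion ::= INTEGER { v1(0), v2(1) }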



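-- Identifies the entity the attributes belong to. Binding through
-- baseCertificateID ties the AC to a specific public key certificate, which
-- is the strongest option; entityName alone is just a name and the relying
-- party must authenticate the presenter by some other means (RFC 3281, 4.2.2).
Holder ::= SEQUENCE {
    baseCertificateID   [0] IssuerSerial OPTIONAL,
        -- the issuer and serial number of
        -- the holder's Public Key Certificate
    entityName          [1] GeneralNames OPTIONAL,
        -- the name of the claimant or role
    objectDigestInfo    [2] ObjectDigestInfo OPTIONAL
        -- if present, version must be v2
    }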



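-- Binds a holder or issuer to the hash of an object (a public key or a whole
-- public key certificate) instead of to a name. The relying party must
-- recompute `objectDigest` with `digestAlgorithm` over the presented object;
-- a weak digest algorithm here weakens the entire binding.
ObjectDigestInfo ::= SEQUENCE {
    digestedObjectType  ENUMERATED {
        publicKey           (0),
        publicKeyCert       (1),
        otherObjectTypes    (2) },
            -- otherObjectTypes MUST NOT
            -- be used in this profile
    otherObjectTypeID   OBJECT IDENTIFIER OPTIONAL,
    digestAlgorithm     AlgorithmIdentifier,
    objectDigest        BIT STRING
    }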
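-- Identifies the attribute authority that signed the AC. RFC 3281 requires
-- the v2Form; v1Form is retained only for compatibility with older ACs.
AttCertIssuer ::= CHOICE {
    v1Form    GeneralNames,     -- v1 or v2
    v2Form    [0] V2Form        -- v2 only
    }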

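-- v2 issuer form. Any of the three identifiers may be used, but at least one
-- must be present so the relying party can locate the AA's verification key.
V2Form ::= SEQUENCE {
    issuerName           GeneralNames OPTIONAL,
    baseCertificateID    [0] IssuerSerial OPTIONAL,
    objectDigestInfo     [1] ObjectDigestInfo OPTIONAL
        -- at least one of issuerName, baseCertificateID
        -- or objectDigestInfo MUST be present
    }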

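-- Reference to a public key certificate by its issuer and serial number.
-- This pair is unique only if the named issuer never reuses serial numbers.
IssuerSerial ::= SEQUENCE {
    issuer       GeneralNames,
    serial       CertificateSerialNumber,
    issuerUID    UniqueIdentifier OPTIONAL
    }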

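-- Validity interval of the AC. Unlike Certificate.Validity this always uses
-- GeneralizedTime, so no two-digit-year pivot applies. Note that the AC's
-- lifetime is independent of the holder's public key certificate lifetime.
AttCertValidityPeriod ::= SEQUENCE {
    notBeforeTime    GeneralizedTime,
    notAfterTime     GeneralizedTime
    }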

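-- One attribute carried by the AC: an OID-typed multi-valued entry.
Attribute ::= SEQUENCE {
    type      AttributeType,
    values    SET OF AttributeValue
        -- at least one value is required
    }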

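-- Attribute values are opaque until `type` is resolved; a decoder must select
-- the value syntax from the OID rather than guessing from the encoding.
AttributeType  ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType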
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} 



FIG. 4D 

(PRIOR ART) 



U.S. Serial Number 09/821,079 Atty. Docket # AUS920010064US1 
Benantar 

Method and system for public-key-based secure authentication to 
distributed legacy applications 

8/10 



ATTRIBUTE CERTIFICATE AUTHORITY 
520 



W 



REQUEST FOR 
ATTRIBUTE CERTIFICATE 
518 



ENCRYPTED 
AUTHORIZATION 
ATTRIBUTES 
516 



ATTRIBUTE CERTIFICATE 
522 



ENCRYPTED 
AUTHORIZATION 
ATTRIBUTES 
516 



AUTHENTICATION DATA 
514 

USERID 

PASSWORD 



LDAP DIRECTORY 
506 



APPLICATION SERVER 
PUBLIC KEY CERTIFICATE 
504 




ATTRIBUTE CERTIFICATE 


522 




ENCRYPTED 






AUTHORIZATION 






ATTRIBUTES 






524 













APPLICATION SERVER 
500 



APPLICATION 

SERVER 
PRIVATE KEY 
502 



TARGET 
LEGACY 
APPLICATIONS 
526 



FIG. 5 



U.S. Serial Number 09/821,079 Atty. Docket # AUS920010064US1 
Benantar 

Method and system for public-key-based secure authentication to 
distributed legacy applications 

9/10 



BEGIN 



CLIENT RETRIEVES PUBLIC KEY CERTIFICATE OF APPLICATION SERVER OR SERVICE 
602 

I 

USER PROVIDES AUTHENTICATION DATA FOR TARGET LEGACY APPLICATION 
604 

I 

CLIENT ENCRYPTS AUTHENTICATION DATA USING PUBLIC KEY OF 
APPLICATION SERVER 
606 

I 

CLIENT GENERATES ATTRIBUTE CERTIFICATE REQUEST CONTAINING 
ENCRYPTED AUTHENTICATION DATA 
608 

i 

CLIENT SENDS ATTRIBUTE CERTIFICATE REQUEST TO 
ATTRIBUTE CERTIFICATE AUTHORITY 

610 

1 

ATTRIBUTE CERTIFICATE AUTHORITY GENERATES ATTRIBUTE CERTIFICATE 
612 

i 

ATTRIBUTE CERTIFICATE AUTHORITY SENDS ATTRIBUTE CERTIFICATE TO CLIENT 
614 

i 

CLIENT STORES ATTRIBUTE CERTIFICATE FOR SUBSEQUENT USE 
616 

1 

END 



FIG. 6 



U.S. Serial Number 09/821,079 Atty. Docket # AUS920010064US1 
Benantar 

Method and system for public-key-based secure authentication to 
distributed legacy applications 

10/10 



BEGIN 

CLIENT SENDS ATTRIBUTE CERTIFICATE TO APPLICATION SERVER 
702 

APPLICATION SERVER RETRIEVES ITS ENCRYPTED AUTHENTICATION DATA FROM 
ATTRIBUTE CERTIFICATE 

704 

I 

APPLICATION SERVER DECRYPTS ITS ENCRYPTED AUTHENTICATION DATA USING 
ITS PRIVATE KEY 

706 

I 

APPLICATION SERVER PARSES AUTHENTICATION DATA TO OBTAIN AUTHENTICATION 
DATA FOR TARGET LEGACY APPLICATION 

708 

I 

APPLICATION SERVER PRESENTS SPECIFIC USER AUTHENTICATION DATA TO 
TARGET LEGACY APPLICATION 

710 

TARGET LEGACY APPLICATION AUTHENTICATES USER 
712 



END 



FIG. 7 



